pcuser2009

vundo removal - please help

Hi,
Highly appreciate all you guys helping out people like me. Please help me to get rid of this vundo.trojan that has infected my laptop.

Windows XP SP3, all updates done.
McAfee Security Center, fully updated.
Using Mozilla Firefox browser 2.0.0.18.

My Spybot S&D scan found my laptop infected with virtumonde and virtumonde.prx trojans.
Not sure how I got it though.

I found this thread on this forum ...

http://community.mcafee.com/showthread.php?t=226537

... and installed Malwarebytes' Anti-Malware scan & remove.

1st run found 18 infections of the vundo trojan and removed them. I manually restarted my computer.
2nd run found 3 infections of the vundo trojan and removed them. I manually restarted my computer.
Still, a 3rd run also finds 3 more infections.

So it appears that the virus somehow survives the removal process.

Also my system gives the following error messages every time I log in.
--------------------------------
RUNDLL

Error Loading c:\windows\system32\bamukitu.dll

The specified module could not be found.

ok
--------------------------------
RUNDLL

Error Loading c:\windows\system32\mosojabe.dll

The specified module could not be found.

ok
--------------------------------
RUNDLL

Error Loading c:\windows\system32\norefose.dll

The specified module could not be found.

ok
--------------------------------
I ran SUPERAntiSpyware free edition (already installed) and that shows no infections.

I ran the online scanner from http://www.kaspersky.com/virusscanner. (I have another question here: the online scanner asks you to disable any other anti-virus scanner running, as it may interfere with the online scan. But I am not sure if I will be opening up my laptop to all kinds of invasions by disabling the McAfee Security Center. Anyway, I am not sure how to disable / stop McAfee from working. I even tried stopping the real-time scanner service from Control Panel -> Services applet, but it says access is denied and could not stop.) The Kaspersky online scan ran anyway without any interference and showed no infections.

Followed the vundo removal instructions from McAfee.
(1) Disabled system restore.
(2) Installed Process Explorer. But could not find the rundll32.exe process to suspend. (Not sure why? Is the virus blocking me from suspending it?) Anyway, suspended explorer.exe and winlogon.exe and ran ODS. This did not find any infections, hence no removals. But MAM still finds 3 vundo.trojan entries.
(3) Re-enabled system restore.

Earlier I tried logging into Windows safe mode as well. McAfee tools got disabled automatically. Is this expected?

Looked at general cleaning up of the laptop and found some old Dell printer installed there that is no longer used. Tried to uninstall it. It goes through the motions and restarts the laptop but it is still not uninstalled. Spybot showed a registry change, which I allowed. Not sure if Spybot is preventing the uninstall.

Here is the latest MAM scan log:

Malwarebytes' Anti-Malware 1.31
Database version: 1600
Windows 5.1.2600 Service Pack 3

04/01/2009 01:08:49
mbam-log-2009-01-04 (01-08-49).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 162954
Time elapsed: 43 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\348b8cca (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nuzizafome (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm37b8bf56 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Sorry for asking too many questions. Please help. Many thanks.
7 Replies
vinod_r2

RE: vundo removal - please help



Run a scan with MBAM and remove the infections, and then (uninstall Spybot too):
Right-click My Computer
select Properties
select System Restore
put a check mark for Turn off System Restore
say yes to the prompt
reboot the machine
do the same steps to turn it back on.
Run the scan again and you must be good; else post back again.
pcuser2009

RE: vundo removal - please help

Hi Vinod,
Thanks for your reply.
Done all the steps you mentioned. As soon as I rebooted, I got the above error loading message from RUNDLL.

Error Loading c:\windows\system32\bamukitu.dll
Error Loading c:\windows\system32\mosojabe.dll
Error Loading c:\windows\system32\norefose.dll
The specified module could not be found.
ok

Started the MAM scan again. It is still running, but already it shows 3 objects infected. I am pretty sure these are the following registry keys (all belonging to Trojan.Vundo.H):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\348b8cca
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nuzizafome
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm37b8bf56

The reason I state the above is because I ran the msconfig tool and it showed the above 3 objects listed on the startup list. With msconfig, I restarted the system in diagnostic mode with no startup items started and was able to manually delete the following keys.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\348b8cca
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nuzizafome
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm37b8bf56

Also when the system is restarted in diagnostic mode, the above keys are listed at the following location, and if I deleted them there, somehow the trojan wrote them back.
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSConfig\startupreg\

So I deleted them there too just before clicking the restart button of the msconfig tool, thereby giving no chance for the trojan to recreate the disabled entries.

But as soon as I restart the system in normal mode, the trojan somehow added all the entries to the startup list and was giving all the errors as before.

I also noticed that the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

had the value

C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL c:\windows\system32\bamukitu.dll c:\windows\system32\tesifoti.dll,C:\WINDOWS\system32\gavuzeyi.dll, c:\windows\system32\gomuliwe.dll,C:\WINDOWS\system32\wipalego.dll

Thinking this is what causes the trojan to survive our removals, I renamed the registry key from AppInit_DLLs to AppInit_DLLs_test.

The next reboot in normal mode was successful and for some time MAM was showing no infections. But soon after, the registry entries were added somehow and the system was ready for the RUNDLL error the next time it got restarted.

What is surprising is that the Spybot resident program showed all the registry changes to the startup list for all the other programs, but not when the virus added them. This makes me wonder if my system is fully compromised so that it lies to different pieces of software, and I may have to reformat the hard drive and reinstall Windows XP.

I will post the MAM scan log as soon as it is completed.

regards
pcuser2009

RE: vundo removal - please help

As promised, here is the MAM log:

Malwarebytes' Anti-Malware 1.31
Database version: 1600
Windows 5.1.2600 Service Pack 3

04/01/2009 21:03:29
mbam-log-2009-01-04 (21-03-29).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 159369
Time elapsed: 52 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nuzizafome (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\348b8cca (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm37b8bf56 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
pcuser2009

RE: vundo removal - please help

Hi Vinod,

It appears the virus is removed.
I restarted XP again and I did not get the RUNDLL errors.
Checked the registry as well and can't find those references to DLLs.
Also checked msconfig and can't find those startup items.

Ran the MAM quick scan again and it detected no infections. Here is the latest log.

Malwarebytes' Anti-Malware 1.31
Database version: 1600
Windows 5.1.2600 Service Pack 3

04/01/2009 21:35:22
mbam-log-2009-01-04 (21-35-22).txt

Scan type: Quick Scan
Objects scanned: 58821
Time elapsed: 4 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Many thanks for your great help. I have started a MAM full scan as well now.

Can you please explain how it got fixed? We switched off and on the system restore and uninstalled Spybot, and the virus could not survive the MAM removal process.

Since I don't believe Spybot might be causing this, or don't like to believe so: were those registry entries getting recreated from the system restore, or what?

My understanding of or expectation from windows system restore is, it should restore only stuff I explicitly ask for it to be restored. Is this not the case? Can XP automatically restore stuff from previous back up files? Can you please point me to any more info on the net? Many thanks again.

I will post the log of the MAM full scan as well, as soon as it is available.

Regards,
paullotion

RE: vundo removal - please help
Quote:
Done all the steps you mentioned. As soon as I rebooted, I got the above error loading message from RUNDLL.

Error Loading c:\windows\system32\bamukitu.dll
Error Loading c:\windows\system32\mosojabe.dll
Error Loading c:\windows\system32\norefose.dll
The specified module could not be found.

These files have been removed. Since system32 is an important folder and those files were designed to run at startup, Windows cannot tell the difference between a good and a bad file, so all it is doing is letting you know that Windows cannot find those files. That pop-up should disappear.

Quote:
Started the MAM scan again. It is still running, but already it shows 3 objects infected. I am pretty sure these are the following registry keys (all belonging to Trojan.Vundo.H):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\348b8cca
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nuzizafome
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm37b8bf56

The reason I state the above is because I ran the msconfig tool and it showed the above 3 objects listed on the startup list. With msconfig, I restarted the system in diagnostic mode with no startup items started and was able to manually delete the following keys.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\348b8cca
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nuzizafome
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm37b8bf56

Also when the system is restarted in diagnostic mode, the above keys are listed at the following location, and if I deleted them there, somehow the trojan wrote them back.
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSConfig\startupreg\

So I deleted them there too just before clicking the restart button of the msconfig tool, thereby giving no chance for the trojan to recreate the disabled entries.

But as soon as I restart the system in normal mode, the trojan somehow added all the entries to the startup list and was giving all the errors as before.

This means that some file is writing those entries to the registry; you'll need to locate whatever file is doing that.

Quote:
I also noticed that the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

This is an important key and is used by malware writers; see the link below for more information.
http://support.microsoft.com/kb/197571

Quote:
had the value

C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL c:\windows\system32\bamukitu.dll c:\windows\system32\tesifoti.dll,C:\WINDOWS\system32\gavuzeyi.dll, c:\windows\system32\gomuliwe.dll,C:\WINDOWS\system32\wipalego.dll

Thinking this is what causes the trojan to survive our removals, I renamed the registry key from AppInit_DLLs to AppInit_DLLs_test.

The only value that belongs there is GOEC62~1.DLL; the rest are malware. Are those files still present on your system?

Please rename AppInit_DLLs_test back to AppInit_DLLs.

Quote:
Can you please explain how it got fixed? We switched off and on the system restore and uninstalled Spybot, and the virus could not survive the MAM removal process.

System restore has nothing to do with it, unless you restore back to an earlier time; then it is possible those files could become active. That is the only way you can be infected via system restore.

This does not mean that there are no infections present.

Quote:
My understanding of or expectation from Windows system restore is, it should restore only stuff I explicitly ask for it to be restored. Is this not the case? Can XP automatically restore stuff from previous back up files? Can you please point me to any more info on the net? Many thanks again.

You can tell Windows which day you wish to go back to; the problem with system restore is that the further you go back, the less the chances of a successful system restore become.

I would recommend you follow the steps below.

Register at this Forum then follow these Steps, post the required log in that forum, not here.
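The two persistence points paullotion walks through above (Run entries that keep coming back and the AppInit_DLLs value) can be checked offline from a regedit export. The script below is an added example written for this thread, not code from the thread or from McAfee: it parses a .reg export of those two keys, flags Run entries whose module is missing on disk (the cause of the RUNDLL errors) and lists every AppInit_DLLs entry with its on-disk status. The sample export and the set of "present" files are constructed, and the Run-key command lines are assumed for illustration, not the trojan's actual ones.

```python
# Added example: audit the Run key and AppInit_DLLs from a regedit export.
import os
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed .reg export modelled on the entries in the thread. The Run-key
# command lines are assumed for illustration, not the trojan's real ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="\"C:\\Program Files\\McAfee\\Common Framework\\udaterui.exe\" /StartedFromRunKey"
"nuzizafome"="rundll32.exe \"c:\\windows\\system32\\bamukitu.dll\",a"
"348b8cca"="rundll32.exe c:\\windows\\system32\\mosojabe.dll,a"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL c:\\windows\\system32\\bamukitu.dll,C:\\WINDOWS\\system32\\gavuzeyi.dll"
'''

# Constructed set of files "present on disk", so the audit can run offline.
SAMPLE_PRESENT = {
    r"c:\program files\mcafee\common framework\udaterui.exe",
    r"c:\progra~1\google\google~2\goec62~1.dll",
}

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_MODULE_RE = re.compile(r'[a-z]:\\[^",]*?\.(?:dll|exe)', re.IGNORECASE)

def _unescape(s):
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Return {key: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys

def split_appinit(value):
    # AppInit_DLLs accepts space- or comma-separated paths; the thread's value mixed both.
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]

def audit(reg_text, present=None):
    """Flag Run entries whose module is missing on disk; list every AppInit_DLLs entry."""
    def exists(path):
        return path.lower() in present if present is not None else os.path.exists(path)

    keys = parse_reg(reg_text)
    findings = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        m = _MODULE_RE.search(cmd)
        if m and not exists(m.group(0)):
            findings.append((RUN_KEY, name, m.group(0), "module missing on disk"))
    for path in split_appinit(keys.get(WINDOWS_KEY, {}).get("AppInit_DLLs", "")):
        status = "present" if exists(path) else "missing"
        findings.append((WINDOWS_KEY, "AppInit_DLLs", path, "AppInit entry, " + status))
    return findings
```

On a live machine, export the two keys with regedit (or `reg export`) and call audit() on the file contents with present=None so that os.path.exists is consulted instead of the constructed set.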
pcuser2009

RE: vundo removal - please help

Hi Paullotion,

Many thanks for your replies. Here are my answers:

1. I no longer get these errors as these startup entries are removed from msconfig. Anyway, these files were not present either.
Error Loading c:\windows\system32\bamukitu.dll
Error Loading c:\windows\system32\mosojabe.dll
Error Loading c:\windows\system32\norefose.dll

2.

Quote:
Started the MAM scan again. It is still running, but already it shows 3 objects infected. I am pretty sure these are the following registry keys (all belonging to Trojan.Vundo.H):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\348b8cca
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nuzizafome
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm37b8bf56

The reason I state the above is because I ran the msconfig tool and it showed the above 3 objects listed on the startup list. With msconfig, I restarted the system in diagnostic mode with no startup items started and was able to manually delete the following keys.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\348b8cca
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nuzizafome
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm37b8bf56

Also when the system is restarted in diagnostic mode, the above keys are listed at the following location, and if I deleted them there, somehow the trojan wrote them back.
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSConfig\startupreg\

So I deleted them there too just before clicking the restart button of the msconfig tool, thereby giving no chance for the trojan to recreate the disabled entries.

But as soon as I restart the system in normal mode, the trojan somehow added all the entries to the startup list and was giving all the errors as before.

This means that some file is writing those entries to the registry; you'll need to locate whatever file is doing that.

This is what I was not able to locate. But then, as per Vinod's instructions, I turned off system restore, rebooted, turned it on again, ran MBAM (which removed the trojan from the above 3 registry entries), and these registry entries are no longer written back into the registry. Hence my question whether these registry entries were automatically restored by XP.

3. I too saw the Microsoft support page on the AppInit_DLLs key. But I also saw another page (sorry, can't link; can't find the page anymore) where it is suggested we can delete this AppInit_DLLs key.
Also saw URL: http://blogs.msdn.com/oldnewthing/archive/2007/12/13/6648400.aspx where they are kind of suggesting that we can disable or delete it, by saying "it doesn't work any more in Windows Vista by default". On this basis, I renamed it as AppInit_DLLs_test. Also on URL: http://blogs.msdn.com/nickkramer/archive/2006/04/18/577962.aspx.

4.

Quote:
had the value

C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL c:\windows\system32\bamukitu.dll c:\windows\system32\tesifoti.dll,C:\WINDOWS\system32\gavuzeyi.dll, c:\windows\system32\gomuliwe.dll,C:\WINDOWS\system32\wipalego.dll

Thinking this is what causes the trojan to survive our removals, I renamed the registry key from AppInit_DLLs to AppInit_DLLs_test.

The only value that belongs there is GOEC62~1.DLL; the rest are malware. Are those files still present on your system?

Please rename AppInit_DLLs_test back to AppInit_DLLs.

First, those malware files are not found on my system now. Not sure if they were there before and got cleaned.
GOEC62~1.DLL seems to be used by the Google Desktop toolbar. Because I was going to rename the above registry key, I uninstalled the Google Desktop toolbar, just to avoid having to fix any problems it might cause by not finding the registry key.

I agree with you about renaming AppInit_DLLs_test back to AppInit_DLLs, as any future XP update or any other legitimate program might need this key and will not work without it. This is done now. But I have removed all the data value from it, as I no longer have the Google Desktop toolbar installed.

5.

Quote:
Can you please explain how it got fixed? We switched off and on the system restore and uninstalled Spybot, and the virus could not survive the MAM removal process.

System restore has nothing to do with it, unless you restore back to an earlier time; then it is possible those files could become active. That is the only way you can be infected via system restore.

See my answer 2 above. I think turning off system restore before virus removal is a standard preliminary step, which I had not taken. So every time I ran MBAM, it detected it and removed it from the registry, but then system restore was automatically restoring these values from its own backups. By turning it off and turning it on, I had effectively destroyed all the system restore backup files. Thus when MBAM amended the registry to clean the trojan, these entries could not be restored from backup by system restore. Thus it got cleaned. Do you agree with my theory? Please reassure me. Thanks.

6.

Quote:
This does not mean that there are no infections present.

This is quite frightening me. It also makes me wonder if my system is more fully compromised, such that reformatting and reinstalling XP is the only step to guarantee the virus removal. Definitely going to register with http://www.techsupportforum.com/ and post there before I decide if it needs reinstalling.

7.

Quote:
Can XP automatically restore stuff from previous back up files?

Can you please confirm / clarify this question for me? Many thanks.

Heartfelt thanks to both you and Vinod for taking so much time and answering my queries. Very much appreciate this.

regards.
paullotion

RE: vundo removal - please help

Quote:
1. I no longer get these errors as these startup entries are removed from msconfig. Anyway, these files were not present either.

Good.

Quote:
Hence my question whether these registry entries were automatically restored by XP.

No, only active files can write to the registry. Once they have been deleted (from the Windows and system32 folders) they are no longer active; using system restore is the only way to bring those files back into play.

Quote:
I too saw the Microsoft support page on the AppInit_DLLs key. But I also saw another page (sorry, can't link; can't find the page anymore) where it is suggested we can delete this AppInit_DLLs key.
Also saw URL: http://blogs.msdn.com/oldnewthing/ar...3/6648400.aspx where they are kind of suggesting that we can disable or delete it, by saying "it doesn't work any more in Windows Vista by default". On this basis, I renamed it as AppInit_DLLs_test. Also on URL: http://blogs.msdn.com/nickkramer/arc...18/577962.aspx.

Not sure whether deleting the AppInit_DLLs key would cause some system instability; might have to test that one.

Quote:
I think turning off system restore before virus removal is a standard preliminary step, which I had not taken. So every time I ran MBAM, it detected it and removed it from the registry, but then system restore was automatically restoring these values from its own backups. By turning it off and turning it on, I had effectively destroyed all the system restore backup files. Thus when MBAM amended the registry to clean the trojan, these entries could not be restored from backup by system restore. Thus it got cleaned. Do you agree with my theory? Please reassure me. Thanks.

I do not recommend turning system restore off prior to cleaning up viruses/malware/trojans; I would rather have an infected restore point than none at all.

Once a file is in system restore (System Volume Information) it cannot be active; it cannot infect you any longer, unless you restore your system to an earlier date.
http://support.microsoft.com/kb/309531
http://www.theeldergeek.com/system_volume_information_folder1.htm

Quote:
Can XP automatically restore stuff from previous back up files?

Can you please confirm / clarify this question for me? Many thanks.

No, it must be done manually.